Advisory 02/2010: MyBB Password Reset Weak Random Numbers Vulnerability

                         SektionEins GmbH
                        www.sektioneins.de

                     -= Security  Advisory =-

     Advisory: MyBB Password Reset Weak Random Numbers Vulnerability
 Release Date: 2010/04/13
Last Modified: 2010/04/13
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: MyBB <= 1.4.11
     Severity: Usage of weak random number generation in password reset
               functionality allows predicting the password reset token
               and the randomly generated password, which results in
               account takeover.
         Risk: Critical
Vendor Status: MyBB 1.4.12 was released which partly fixes this vulnerability
    Reference: http://www.sektioneins.com/en/advisories/advisory-022010-mybb-password-reset-weak-random-numbers-vulnerability.html
               http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

Overview:

  Quote from http://www.mybboard.net
  "MyBB is a discussion board that has been around for a while; it has
   evolved from other bulletin boards into the forum package it is
   today. Therefore, it is a professional and efficient discussion
   board, developed by an active team of developers. The MyBB history
   has been recorded and is available for the interested to read.
   You can also read more about the MyBB team and why they develop
   MyBB in their spare time. We also like to highlight the most
   active and contributing fansites of the MyBB community."

  During evaluation of various password reset implementations it was
  discovered that MyBB uses weak random numbers when generating the
  password reset token and randomly generated passwords.

  A malicious user can take over arbitrary accounts if PHP processes
  are reused by the webserver. The most common PHP installation,
  mod_php with keep-alive requests enabled, is therefore vulnerable.

Details:

  In various places MyBB seeds the random number generator with the
  mt_srand() function.

    // Setup a unique posthash for attachment management
    if(!$mybb->input['posthash'] && $mybb->input['action'] != "editdraft")
    {
       mt_srand((double) microtime() * 1000000);
       $posthash = md5($mybb->user['uid'].mt_rand());
    }

  Code like this seeds the random number generator with only one
  million different seed values: (double) microtime() yields just the
  fractional part of the current second, so the seed is an integer in
  the range 0 to 999999. In addition to that, the first generated random
  number is leaked to the user in the form of the post hash. Because the
  user knows his own 'uid', it is easy to find the seed by simply
  brute-forcing the one million possibilities. A normal desktop PC is
  able to perform this in less than a second.

  Because the state of the random number generator is shared by all
  requests handled by the same PHP process, a password reset triggered
  afterwards uses a state that is known to the attacker.

  The password reset will first create a random password reset token
  that is sent to the user. If this token is used the second step of
  the password reset will generate a new random password. Both random
  strings are generated by the following function.

     function random_str($length="8")
     {
        $set =array("a","A","b","B","c","C","d","D","e","E","f","F",
                    "g","G","h","H","i","I","j","J","k","K","l","L",
                    "m","M","n","N","o","O","p","P","q","Q","r","R",
                    "s","S","t","T","u","U","v","V","w","W","x","X",
                "y","Y","z","Z","1","2","3","4","5","6","7","8","9");
        $str = '';

        for($i = 1; $i <= $length; ++$i)
        {
           $ch = mt_rand(0, count($set)-1);
           $str .= $set[$ch];
        }

        return $str;
     }

  The problem with this code is that it uses mt_rand() to generate
  the random strings while the state of the mt_rand() number generator
  is known to the remote attacker. He is therefore able to predict
  both the generated password reset token and the new password.
  This allows taking over arbitrary accounts.

  The vendor fixed this vulnerability by reseeding the random number
  generator on every request with a securely generated seed. This
  renders the discovered attack infeasible, but the generator output
  might still be vulnerable to future attacks. We therefore recommended
  an additional safeguard that might make it into the next release.
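  The following is an added illustration of the safeguard discussed
  above, written for this page and not taken from MyBB or from the
  SektionEins recommendation: the weak random_str() pattern from the
  advisory next to a variant that draws from the operating system's
  CSPRNG, so neither a guessable mt_srand() seed nor generator state
  shared across keep-alive requests can reveal the reset token. It
  assumes PHP 7.0 or newer for random_int() and random_bytes().

```php
<?php
// Added example, not MyBB code. Assumes PHP >= 7.0 (random_int/random_bytes).
// The alphabet mirrors the advisory's $set: a-z, A-Z and the digits 1-9.
function reset_alphabet()
{
    return array_merge(range('a', 'z'), range('A', 'Z'), range('1', '9'));
}

// Weak: mt_rand() output is a deterministic function of the Mersenne
// Twister state. The advisory shows that state is seeded from only one
// million values and is kept between requests in the same PHP process.
function random_str_weak($length = 8)
{
    $set = reset_alphabet();
    $str = '';
    for ($i = 1; $i <= $length; ++$i) {
        $str .= $set[mt_rand(0, count($set) - 1)];
    }
    return $str;
}

// Hardened: random_int() reads from the OS CSPRNG on every call. There is
// no seed to guess and no process-wide state for an earlier request to leak.
function random_str_secure($length = 8)
{
    $set = reset_alphabet();
    $str = '';
    for ($i = 1; $i <= $length; ++$i) {
        $str .= $set[random_int(0, count($set) - 1)];
    }
    return $str;
}

// A reset token is only compared by the server, never typed by a person,
// so it does not need the human-friendly alphabet at all: 16 CSPRNG bytes
// rendered as hex give 128 bits of entropy in a single call.
function reset_token()
{
    return bin2hex(random_bytes(16));
}

// The posthash from the advisory, without mt_srand(): the per-request
// secret now comes from the CSPRNG instead of the first mt_rand() output,
// so the value shown to the user reveals nothing about generator state.
function posthash_secure($uid)
{
    return md5($uid . bin2hex(random_bytes(16)));
}

// Reseeding with the same value reproduces the "random" string exactly,
// which is the whole attack: a guessable seed means a guessable token.
mt_srand(123456);
$first = random_str_weak(8);
mt_srand(123456);
$second = random_str_weak(8);
var_dump($first === $second);
var_dump(strlen(random_str_secure(8)) === 8, strlen(reset_token()) === 32);
```

  The demonstration at the end only shows that the weak generator is
  reproducible from its seed; the hardened functions are the pieces a
  deployment would substitute for mt_rand() in token generation.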

  Furthermore it should be noted that users of the Suhosin Extension
  version 0.9.26 or newer are safe from this class of attacks because
  random numbers generated by rand() and mt_rand() are more secure by
  default.

Proof of Concept:

  SektionEins GmbH is not going to release a proof of concept
  exploit for this vulnerability.

Disclosure Timeline:

  31. March 2010 - Notified the MyBB devs via security contact form
  13. April 2010 - MyBB developers released MyBB 1.4.12
  13. April 2010 - Public Disclosure

Recommendation:

  It is recommended to upgrade to the latest version of MyBB.
  However, we hope that our later recommendations for more secure
  random number generation will make it into the next release.

  Grab your copy at:
  http://mybboard.net/downloads

CVE Information:

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  not assigned a name to this vulnerability.

GPG-Key:

  pub  1024D/15ABDA78 2004-10-17 Stefan Esser
  Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78

Copyright 2010 SektionEins GmbH. All rights reserved.